ClassAd 4.0 - User Manual

Security and rights management

Version 3.0 of ClassAd introduced several new features and options for handling users and their rights. Generally, ClassAd distinguishes three different kinds of rights:

Every registered and logged-in user has the right to submit an ad. The parameter $SEC_UNKNOWN_SUB in the configuration file inc/config.inc.php defines whether unknown (not logged-in) visitors have this privilege as well: if it is set to true, they can also submit ads to the classified ads system.

To prevent misuse of the ad submission function, direct entry into the database can be disabled. An ad that is not entered directly receives a waiting status and stays there until an Administrator releases it, either via e-mail or via the Administrator's console (edit ads). When an ad is released through the e-mail link, the link is protected by a code that is valid only for that particular ad.

Which users have the right to submit directly depends on the user group (user profile) they belong to and on the settings in the configuration file inc/config.inc.php. At the moment the following user groups are predefined in ClassAd 3.0:

This rights management can and will be extended in future versions of ClassAd. Please note that all rights granted to a user are additive: a user can belong to more than one group and receives the rights of every group he belongs to.

The configuration file inc/config.inc.php contains a corresponding parameter for each user group:

Parameter                 Meaning
$SEC_DIR_SUB_UNKNOWN      Right for unregistered or not logged-in users to submit an ad directly to the database (without Administrator check)
$SEC_DIR_SUB_USER         Right for registered and logged-in users to submit an ad directly to the database
$SEC_DIR_SUB_AUTHUSER     Right for authenticated users to submit an ad directly to the database
$SEC_DIR_SUB_COMMERCIAL   Right for commercial users to submit an ad directly to the database
$SEC_SUB_ADMIN_INFO       An ad submitted directly to the database never passes through the waiting status, so the Administrator would not normally hear about it. Setting this parameter to true informs the Administrator about the newly added ad anyway.

Administrators and Debug Administrators always have the privilege to submit an ad directly.
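The following is an added example of how the rules above fit together; it is not ClassAd's own code. It treats the $SEC_* values as plain PHP variables as they would appear in inc/config.inc.php, and it assumes a $user array with a groups list and admin flags, a $SEC_RELEASE_KEY secret for the release link, and the group names used as array keys. Rights are resolved additively (any qualifying group wins), Administrators and Debug Administrators always submit directly, and the release code for a waiting ad is an HMAC bound to that ad's id so a code from one e-mail cannot release a different ad.

```php
<?php
// Added example, not ClassAd code. $user layout, group keys and
// $SEC_RELEASE_KEY are assumptions for illustration.

// Configuration values as they would appear in inc/config.inc.php.
$SEC_UNKNOWN_SUB        = true;   // visitors may submit (into waiting status)...
$SEC_DIR_SUB_UNKNOWN    = false;  // ...but never directly into the database
$SEC_DIR_SUB_USER       = false;
$SEC_DIR_SUB_AUTHUSER   = true;
$SEC_DIR_SUB_COMMERCIAL = true;
$SEC_SUB_ADMIN_INFO     = true;

// Assumed secret for release codes: generate 32 random bytes once and keep
// it in the config file. Rotating it invalidates every outstanding link.
$SEC_RELEASE_KEY = 'replace-with-32-random-bytes-from-random_bytes()';

/** May this user submit at all? $user === null means not logged in. */
function may_submit(?array $user, bool $unknownMaySubmit): bool {
    return $user !== null || $unknownMaySubmit;
}

/**
 * Rights are additive: the user may submit directly if ANY group he belongs
 * to carries the direct-submission right. Admins are always allowed.
 */
function may_submit_directly(?array $user, array $cfg): bool {
    if ($user === null) {
        return $cfg['unknown'];
    }
    if (!empty($user['is_admin']) || !empty($user['is_debug_admin'])) {
        return true;
    }
    // A logged-in user is always at least a member of the "user" group.
    $groups = array_merge(['user'], $user['groups']);
    foreach ($groups as $g) {
        if (!empty($cfg[$g])) {
            return true;
        }
    }
    return false;
}

/** Release code for one specific ad: HMAC over the ad id, keyed with the site secret. */
function release_code(int $adId, string $key): string {
    return hash_hmac('sha256', 'release-ad:' . $adId, $key);
}

/** Verify a code from the e-mail link in constant time; it only matches its own ad. */
function release_code_valid(int $adId, string $code, string $key): bool {
    return hash_equals(release_code($adId, $key), $code);
}

$cfg = [
    'unknown'    => $SEC_DIR_SUB_UNKNOWN,
    'user'       => $SEC_DIR_SUB_USER,
    'authuser'   => $SEC_DIR_SUB_AUTHUSER,
    'commercial' => $SEC_DIR_SUB_COMMERCIAL,
];

// Constructed sample users: alice is authenticated, bob is only registered.
$alice = ['name' => 'alice', 'groups' => ['authuser'], 'is_admin' => false];
$bob   = ['name' => 'bob',   'groups' => [],           'is_admin' => false];
$anon  = null;

foreach (['alice' => $alice, 'bob' => $bob, 'anon' => $anon] as $who => $u) {
    if (!may_submit($u, $SEC_UNKNOWN_SUB)) {
        echo "$who: may not submit\n";
        continue;
    }
    $direct = may_submit_directly($u, $cfg);
    echo "$who: " . ($direct ? 'direct' : 'waiting') . "\n";
    if ($direct && $SEC_SUB_ADMIN_INFO) {
        echo "  (Administrator informed about the new ad)\n";
    }
}

// bob's ad lands in waiting status; the Administrator's e-mail carries this code.
$adId = 4711;
$code = release_code($adId, $SEC_RELEASE_KEY);
var_dump(release_code_valid($adId, $code, $SEC_RELEASE_KEY));
var_dump(release_code_valid($adId + 1, $code, $SEC_RELEASE_KEY));  // code is bound to ad 4711
```

The HMAC code is stateless, so it stays valid until the ad is released or the key is rotated; if a link must expire or be single-use, store a random code per ad and clear it on release instead.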

ClassAd Version 3.0 implements a system that lets you define a closed user group. Every ad and every category can be made part of the closed system (e.g. for age-restricted ads). These closed areas are integrated into the "open" classified ad system.

A user is assigned to the closed user group in the Administrator's console (edit user). A newly created user is not a member of the closed user group.

The following parameters in the configuration file inc/config.inc.php define the behavior of closed user groups:

Parameter                 Function
$SEC_FORCE_AGE_REST       Activates the closed user group function (value: true). When deactivated, user rights are not checked when accessing ads and categories.
$SEC_HIDE_AGEREST_CATS    If the closed user group feature is activated, categories belonging to the closed system can be suppressed from display (view ad, list categories, featured ads, search etc.) (value: true), so that only members of the user group see them.
                          If this parameter is set to false, a small icon is shown in front of the category name to indicate that the category belongs to the closed user group.
                          Note: being able to see the category does not give a user the right to access it; the access check still applies.
$SEC_HIDE_AGEREST_ADS     Corresponds to $SEC_HIDE_AGEREST_CATS. Suppresses the display of ads belonging to the closed user group.
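The note above is the point that matters for security: $SEC_HIDE_AGEREST_CATS and $SEC_HIDE_AGEREST_ADS only control what listings show, while membership in the closed user group controls access. The following added example (not ClassAd code) separates the two so that a visitor who is shown the category icon, or who simply knows an ad id, still hits the access check. The category and ad arrays, the $user['closed_group'] flag and the view_ad() handler are assumptions for illustration.

```php
<?php
// Added example, not ClassAd code. Data layout and the closed_group flag
// are assumptions for illustration.

$SEC_FORCE_AGE_REST    = true;   // closed user group checks are active
$SEC_HIDE_AGEREST_CATS = false;  // restricted categories are listed with an icon...
$SEC_HIDE_AGEREST_ADS  = true;   // ...but restricted ads are hidden from listings

// Constructed sample data.
$categories = [
    ['id' => 1, 'name' => 'Bicycles', 'restricted' => false],
    ['id' => 2, 'name' => 'Adult',    'restricted' => true],
];
$ads = [
    ['id' => 10, 'cat' => 1, 'title' => 'Road bike',     'restricted' => false],
    ['id' => 11, 'cat' => 2, 'title' => 'Restricted ad', 'restricted' => true],
];

/**
 * Authorization: may this user open a restricted item?
 * With $SEC_FORCE_AGE_REST = false nothing is checked, as the manual states.
 */
function may_access(array $item, ?array $user, bool $force): bool {
    if (!$force || !$item['restricted']) {
        return true;
    }
    return $user !== null && !empty($user['closed_group']);
}

/**
 * Presentation: which items appear in a listing. Hiding is a display
 * setting only and never stands in for may_access().
 */
function visible_items(array $items, ?array $user, bool $force, bool $hide): array {
    return array_values(array_filter($items, function (array $item) use ($user, $force, $hide) {
        if (!$hide) {
            return true;                       // listed, marked with the icon
        }
        return may_access($item, $user, $force);
    }));
}

/** Listing label; the "[closed]" prefix stands in for the icon. */
function label(array $item, ?array $user, bool $force): string {
    $name = $item['name'] ?? $item['title'];
    if ($item['restricted'] && !may_access($item, $user, $force)) {
        return '[closed] ' . $name;
    }
    return $name;
}

/** "View ad" handler: the access check runs on every direct access, hidden or not. */
function view_ad(int $adId, array $ads, ?array $user, bool $force): string {
    foreach ($ads as $ad) {
        if ($ad['id'] === $adId) {
            return may_access($ad, $user, $force) ? 'OK: ' . $ad['title'] : '403: closed user group';
        }
    }
    return '404';
}

$guest  = null;
$member = ['name' => 'carol', 'closed_group' => true];

foreach (['guest' => $guest, 'member' => $member] as $who => $u) {
    echo "$who sees categories: ";
    foreach (visible_items($categories, $u, $SEC_FORCE_AGE_REST, $SEC_HIDE_AGEREST_CATS) as $c) {
        echo label($c, $u, $SEC_FORCE_AGE_REST), '; ';
    }
    echo "\n$who sees ads: ";
    foreach (visible_items($ads, $u, $SEC_FORCE_AGE_REST, $SEC_HIDE_AGEREST_ADS) as $a) {
        echo label($a, $u, $SEC_FORCE_AGE_REST), '; ';
    }
    // The restricted ad is missing from the guest's listing, but a guest who
    // guesses the id is still stopped by may_access() on direct access.
    echo "\n$who opens ad 11 directly: ", view_ad(11, $ads, $u, $SEC_FORCE_AGE_REST), "\n\n";
}
```

The check worth carrying over to any real installation is the one in view_ad(): search, featured ads and category pages only filter output, so a restricted ad reached by id, by a bookmarked URL or by a search engine cache must be rejected by the same may_access() rule.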

Using the optional-in procedure

To prevent spam and to meet legal requirements, ClassAd development integrated a new user registration procedure. It is called 'optional-in' (a double opt-in): the user has to confirm the registration and, with it, the e-mail address.

1.) The user registers and chooses a username and password.

2.) The user receives an e-mail at the address specified during registration. This e-mail contains a link to activate the user account. Until the account is activated, the user cannot log in.

3.) If a user account is not activated within a certain period of time, the registration is deleted.
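The three steps as one added example, not ClassAd's own implementation: the activation token is drawn from the CSPRNG, only its hash is stored, the comparison is constant-time, the link is single-use, and a cleanup routine deletes registrations whose window has passed. The in-memory $pending store, the column names and the 48-hour window are assumptions; the manual does not state how long ClassAd waits before deleting an unactivated account.

```php
<?php
// Added example, not ClassAd code. Store layout and the 48-hour window
// are assumptions for illustration.

const ACTIVATION_TTL_SECONDS = 48 * 3600;  // assumed value
const TOKEN_BYTES = 32;

/** Step 1: register. The account is created inactive with a hashed activation token. */
function register(array &$pending, string $username, string $passwordHash, int $now): string {
    $token = bin2hex(random_bytes(TOKEN_BYTES));    // 256 bits from the CSPRNG
    $pending[$username] = [
        'password_hash' => $passwordHash,
        'token_hash'    => hash('sha256', $token),  // only the hash is stored
        'expires'       => $now + ACTIVATION_TTL_SECONDS,
        'active'        => false,
    ];
    return $token;   // goes into the e-mail link, never into a log
}

/** Step 2: the link is clicked. Expiry enforced, constant-time compare, single use. */
function activate(array &$pending, string $username, string $token, int $now): bool {
    if (!isset($pending[$username]) || $pending[$username]['active']) {
        return false;
    }
    $row = $pending[$username];
    if ($now > $row['expires']) {
        return false;   // left for purge_expired() to delete
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $pending[$username]['active']     = true;
    $pending[$username]['token_hash'] = '';   // consumed: the link cannot be replayed
    return true;
}

/** Login is refused until activation has happened. */
function may_log_in(array $pending, string $username): bool {
    return isset($pending[$username]) && $pending[$username]['active'];
}

/** Step 3: periodic job removing registrations that were never activated in time. */
function purge_expired(array &$pending, int $now): int {
    $removed = 0;
    foreach ($pending as $name => $row) {      // foreach iterates a copy, so unset is safe
        if (!$row['active'] && $now > $row['expires']) {
            unset($pending[$name]);
            $removed++;
        }
    }
    return $removed;
}

// Constructed walkthrough with a fixed clock.
$pending = [];
$t0 = 1700000000;
$tokenA = register($pending, 'alice', password_hash('correct horse', PASSWORD_DEFAULT), $t0);
$tokenB = register($pending, 'bob',   password_hash('battery staple', PASSWORD_DEFAULT), $t0);

var_dump(may_log_in($pending, 'alice'));                        // before the link is clicked
var_dump(activate($pending, 'alice', $tokenA, $t0 + 600));      // correct link inside the window
var_dump(activate($pending, 'alice', $tokenA, $t0 + 700));      // the same link a second time
var_dump(may_log_in($pending, 'alice'));

// bob clicks after the window has closed, then the cleanup job runs.
var_dump(activate($pending, 'bob', $tokenB, $t0 + ACTIVATION_TTL_SECONDS + 1));
var_dump(purge_expired($pending, $t0 + ACTIVATION_TTL_SECONDS + 1));
var_dump(isset($pending['bob']));
```

Storing only the hash means a leaked database dump does not hand out usable activation links, and clearing the hash on success is what turns the link into a one-time credential; both are cheap to add to any installation that keeps the raw token in a table.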

The main purposes of this procedure are: